Emerging Issues Session B10 Integrating BCM and Development Life Cycles Doug Weldon, FBCI Vice President of Product & Infrastructure Risk Management, Thomson Reuters President of the BCI USA Chapter 1
Presentation Outline What is a life cycle process? Is the BCM management system a life cycle process? Where are we today? Where should we be going? How does this potentially change BCM as a life cycle process? What are the benefits? Potential risks?
What is a Development Life Cycle The structured methodology for managing the full life cycle of a product, business process, or IT system from initial concept through end of life. Example: The Systems development life cycle (SDLC), or Software development life cycle in systems engineering, information systems and software engineering, is a process of creating or altering information systems, and the models and methodologies that people use to develop these systems.* * Wikipedia
Example of SDLC Life Cycle* * Wikipedia
Most Famous Life Cycle CMMI* (Capability Maturity Model Integration) is a process improvement approach that provides organizations with the essential elements of effective processes, which will improve their performance. Applicable to more than software projects (acquisitions, services performance, etc.) Certified levels of performance (1 5) * Software Engineering Institute of Carnegie Mellon University
Another Very Important Life Cycle RMM* (Resiliency Management Model) is a process improvement approach that provides organizations with the essential elements of effective operational risk management, which will improve their resiliency. Resiliency in this model is inclusive of Security, Business/Service Continuity, and Operations Management (based on ISO 27000, BS2599, ITIL) Certified levels of performance (1 4) * Software Engineering Institute of Carnegie Mellon University cert.org
General Benefits of Life Cycle Processes* Decreased Costs Improved On time Delivery Improved Productivity Improved Quality Improved Customer Satisfaction Improved Return on Investment Improvement/Maturity Measures * www.sei.cmu.edu
BCM Program Life Cycle Process* * ISO 22313 Draft for Comment
Essentially BS25999 2 Revisited
Applicable Life Cycles Requirements standards (e.g., BS25999 2 or ISO22301) provide specifications for audits for certifying a company s BCMS ISO 9001 drives the continuous improvement of the BCMS, as with all ISO life cycles (PDCA) Practices (e.g., BS2599 1 or ISO22313) standards describe BCM best practices that describe the process that drives the specific BCM life cycle.
Lifecycle for BC/DR Capabilities
Where Are We Today? Nominal Case: Established BCM program Process for establishing capabilities Many capabilities established and maintained Build BCM solutions after product/process/system is implemented Better Case: Compliant or even certified program Capabilities built and maintained to best practices But are they the highest quality/lowest cost?
Where should we be going? Best Case: Demonstrate compliance with best practices Anchor on identified stakeholder requirements (nonfunctional requirements as important as functional requirements) Design optimal (cost vs. risk) solutions based on requirements Regularly validate compliance with (changing) requirements, perform needed corrective actions, report results, and audit findings Build BCM solutions as products, processes, or systems are built!
How do we do that? The key is always the best possible identification of requirements A focused discipline on compliance with the BCM life cycle process drives and continuously improves quality And this strongly suggests that the BCM and product/process/system life cycle processes should be integrated!
Focus on Identifying and Validating Requirements Types of Requirements: Functional Requirements of the Product/Proposition What the product does for the customer; i.e., types of transactions the customers execute and what kinds of content result. Non functional Requirements of the Product/Proposition How the product delivers the functionality in terms of performance, security, recoverability, availability, reliability, and other risk related factors. Customers Products Processes, Systems, Infrastructures Suppliers C(1) C(2) C(3) P(1) P(2) P(3) P(4) P(5) P(6) I(1) I(2) I(3) I(4) S(1) S(2) S(3) S(4) S(5)
Timeline for Identifying BCM Requirements
Product/Process/System Life Cycle PROCESS OF CONTINUOUS IMPROVEMENT Act Business Proposal Business Case Define/Design Develop Implement Operate & Maintain Retire/Reengineer MEET ROI SUNSET CONCEPTION APPROVAL CONFIRMATION READY TO DEPLOY READY FOR PRODUCTION READY FOR SUNSET Plan Do Check
What Does it Mean to Integrate Life Cycles? Analyze each of the life cycle process steps to establish the feasibility of integration Establish correspondence between life cycle process steps Rationalize the steps to ensure that the steps produce analogous, value adding deliverables Interleave the activities of the corresponding process steps into a uniform activity set.
BCM Planning and SDLC System Development Life Cycle (SDLC) 1.Initiation 2.Development/Acquisition 3.Implementation 4.Operation and Maintenance (Test) 5.Disposal Phase 1: Initiation Phase 5: Disposal Phase 2: Development/ Acquisition Phase 4: Operation/ Maintenance Phase 3: Implementation Initiation/Definition Design/Development Implementation Test Operations SDLC Disposal
Product/Process/System Life Cycle PROCESS OF CONTINUOUS IMPROVEMENT Business Proposal Business Case Define/Design Develop Implement Operate & Maintain Retire/Reengineer MEET ROI SUNSET CONCEPTION APPROVAL CONFIRMATION READY TO DEPLOY READY FOR PRODUCTION READY FOR SUNSET Understand the Organization BCM Strategy BCM Response Test and Maintain
BCM Life Cycle Change Implications BCM life cycle integration into the product/process/system development life cycle of the enterprise potentially drives changes into the BCM process itself: What is a risk assessment in this integrated view? What is a BIA in this integrated view? How is BCM strategy changed by integrated architectures? Many other potential implications.
Benefits and Risks Benefits BCM Program integrated into Corporate strategies Attention to BCM at the right times in the life cycle Greater assurance of optimal cost vs risk solutions Getting requirements right the first time Designs more truly fit for purpose Better integration into the corporate culture Risks Corporation s development life cycle is undisciplined BCM Program is under resourced to deliver.
QUESTIONS? April 16 18, 2012 Talking Stick Resort Scottsdale, Arizona